New Android Malware Can Reinstall Itself

Because Android is the world's most popular smartphone operating system, it follows that malefactors would develop some of the most harmful malware for it. A program called Android.Oldboot represents the first-ever Android bootkit: a Trojan that can reinstall itself every time the system reboots.

Russian antivirus firm Doctor Web first described the bootkit, which the company says has spread to 350,000 devices across Europe, North America and Asia, China in particular. Chinese users possess 322,000 of the Android.Oldboot-infected devices.

The bootkit targets Android's kernel, the deepest part of an OS. Not only is malware extremely difficult to remove from the kernel, but it can also rewrite a device's rebooting procedures from there.

This means that deleting the malware manually, or even wiping the device entirely, will not actually get rid of it. The system can spawn a new copy upon each reboot.

Android.Oldboot is a fairly dangerous bit of malware. The program connects Android devices to a remote server, which can compel them to download, install and remove various apps. This is obviously a problem if it installs apps that send texts to paid services or that dig through your phone for financial information.

If you purchased your phone through a reliable vendor and elected to use its built-in software, you don't have much to worry about. Android.Oldboot spreads via infected Android builds, meaning that you're only at risk if you've chosen to root your Android device by "flashing" it with new firmware. If so, you should make sure that your installation comes from a reliable website.

Users buying devices from China should also take care, as bootkit-infected devices appear to come overwhelmingly from Chinese vendors of secondhand phones. It's not clear whether these vendors are installing the malware on purpose or just using a faulty Android build by accident.

The bad news is that if you acquire an infected device or manage to infect your own, there isn't much you can do, short of flashing it with a different OS image and firmware. Even though Android antivirus software can remove the offending program, it cannot prevent the malware from reinstalling itself upon each reboot.

Developers may yet find a way to address Android.Oldboot, but the lesson is clear either way: Buy phones from a reliable vendor, and root your device at your own risk.